SecureWorks researcher Don Jackson was focused on his technical
analysis of form-grabbing software, but he continued
correspondence with the source who gave him access to
76service.com. After several email exchanges with Jackson, the
source decided that he could trust him enough to share what he
knew about the people behind 76service. This is part of what he
shared.

He told Jackson that the operation was run by just two
people, known as 76 and Exoric. 76 was in Russia. Exoric seemed
to be based out Mexico.

76 was a member of the HangUp Team who broke off to launch
this service. He probably bought the Haxdoor form-grabbing code
grafted onto Gozi from his old crew. He might have traded for
it. He also probably had a relationship with the RBN form his
HangUp Team days. The lack of manpower beyond the two of them
might also explain some of the mistakes 76service made, such as
the direct connection to RBN servers and the site configuration
that allowed Jackson to view other people’s projects. It
appears 76 recruited Exoric for his server-side knowledge,
whereas 76 was coding the actual Trojan.

Jackson was sharing all of this with a field agent from the
local FBI office, who sent it up to agents in DC, who in turn
coordinated with Russian authorities on an investigation,
according to Jackson. (The FBI has refused to comment
specifically on the case). Meanwhile Jackson contacted
Infraguard which in turn shared his findings with financial
institutions. Jackson wrote an exhaustive technical report, one
of the most detailed ever created, that covered
both how Gozi worked and how the service did, too. After he
published it, and his PR team spread the word, the press
pounced: “Gozi Trojan leads to Russian Data
Hoard.”

Gozi had been known to be in the wild for at least three
months. But Jackson also believed that the “Winter
Edition” of 76service was by no means the first edition.
He suspected that 76service had been operating undetected for
perhaps as long as 9 months.

But by mid-March, the good guys seemed to be getting ahead
of it. Anti-virus and anti-spyware vendors were adding Gozi
signatures to their products to detect the bot. 76service
servers had been sent on the run as the FBI and ISPs detected
and blocked the IP addresses that Gozi connected to, forcing 76
and Exoric to move the site around constantly. Around March 12,
the loose coalition of FBI, researchers, ISPs and others
finally seemed to get the 76service shut down.

This spurred a fire sale of whatever data had been left
unsold at 76service. Jackson says that after March 12, some
banks saw hundreds of accounts opened each day that were traced
back to Gozi-grabbed data. Some of those account holders
managed to make several cash transfers up to $49,000.
“They’re playing with limits on fraud,” says
Jackson. That is, they know the banks won’t flag 5
transfers under 50 grand, but will flag one $250,000 transfer.
Jackson says many of these transfers were wired to, of all
places, Belgium, though he didn’t know if anyonehad been
caught picking up the cash there. Some other accounts were
detected and blocked from activity before transfers were made.
Jackson says the United States Secret Service was briefed. (The
USSS declined to comment). Gozi and 76service finally seemed to
be contained.

But it hardly mattered. By this time, another form-grabbing
Trojan had been discovered: Torpig.